Skip Menu |

This queue is for tickets about the Crypt-Password CPAN distribution.

Report information
The Basics
Id: 98826
Status: open
Priority: 0/
Queue: Crypt-Password
People
Owner: Nobody in particular
Requestors: CDRAKE [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Fri Sep 12 04:41:13 2014 CDRAKE [...] cpan.org - Ticket created
Subject: Philosophical error - should never use a hash (salted or not) to protect a password
Hashes should never be used for password protection, nor should "crypt" (since it uses hashes). offline dictionary attack is your enemy. There are dedicated solutions to this fascinating problem, which are generally called "Password Based Key Derivation Functions" - they all boil down to the same plan: you need to work out the computational power available in your architecture, and the rate at which passwords need to be checked, and pick a corresponding difficulty level to feed into the protection. You can make password-checking take 100% CPU for 1 second on single-user systems (a good choice), or you may need it to take much less power on heavily loaded many-user website systems (for example). No one size fits all, but "hash" in any size fit no-one! To fix this "bug", you need to add an actual password crypt solution here, designed (properly!) specifically for passwords.
  Fri Sep 12 21:02:16 2014 nostrasteve [...] gmail.com - Correspondence added
Subject: Re: [rt.cpan.org #98826] Philosophical error - should never use a hash (salted or not) to protect a password
Date: Sat, 13 Sep 2014 13:02:03 +1200
To: bug-Crypt-Password [...] rt.cpan.org
From: Steevo Wymzelico <nostrasteve [...] gmail.com>
Ah fascinating pattern! I love being aware of this bubble of time we are in... Is that theme going anywhere around perl? It needs the One Thing to turn up aye? The spiral braiding? The mix & matcher? All this stuff is so snazzy and abstract. Anyway I myself won't be getting this moving... Anyone can take it over and win big! Go on! Observed, agree, status: benign. On Fri, Sep 12, 2014 at 8:41 PM, CDRAKE via RT < bug-Crypt-Password@rt.cpan.org> wrote: Show quoted text
> Fri Sep 12 04:41:13 2014: Request 98826 was acted upon. > Transaction: Ticket created by CDRAKE > Queue: Crypt-Password > Subject: Philosophical error - should never use a hash (salted or > not) to > protect a password > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: CDRAKE@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=98826 > > > > Hashes should never be used for password protection, nor should "crypt" > (since it uses hashes). offline dictionary attack is your enemy. > > There are dedicated solutions to this fascinating problem, which are > generally called "Password Based Key Derivation Functions" - they all boil > down to the same plan: you need to work out the computational power > available in your architecture, and the rate at which passwords need to be > checked, and pick a corresponding difficulty level to feed into the > protection. You can make password-checking take 100% CPU for 1 second on > single-user systems (a good choice), or you may need it to take much less > power on heavily loaded many-user website systems (for example). > > No one size fits all, but "hash" in any size fit no-one! > > To fix this "bug", you need to add an actual password crypt solution here, > designed (properly!) specifically for passwords. >
  Fri Sep 12 21:02:17 2014 The RT System itself - Status changed from 'new' to 'open'